Dan, thank you for the reply and ideas! Essentially making all virtual
users look like system users to Postfix and Dovecot (and other services)
certainly sounds interesting but I am not sure if this won't make things
more complex than they need to be. And wouldn't this approach require
any services and applications to know how to handle PAM/NSS? I will keep
it in mind, however, could come in handy in the future.

Most modern unixes make use of nss in a way that's transparent to
applications - that is, any application which retrieves users and groups
via the getpwent and getgrent system calls will make use of an nss plugin
transparently.
An application does explicitly compile against PAM to make use of it, but
shouldn't need to know any details about which PAM modules are used, and
implementing a PAM LDAP module would not require a recompile of your
applications.

Our current setup using Postgres and virtual users, while complex
enough, is quite adequate for our ISP needs. We just need to evaluate if
and how it is feasible to model this setup using LDAP as a backend.

Postfix, as you probably already know, has LDAP support for looking up most
tables, which is how I implement virtual domain lookups.

So I guess my question is really more about how to properly design a DIT
that holds multiple independent domains and for each domain possibly
hundreds of users and groups.

I went with a flat design, which has worked well. That is:
uid=jsmith@example.net,ou=people,dc=example,dc=com
uid=jsmith@custdom.com,ou=people,dc=example,dc=com
and
cn=jsmith@example.net,ou=groups,dc=example,dc=com
cn=jsmith@custdom.com,ou=groups,dc=example,dc=com

The problem is roughly equivalent to designing a proper relational
database schema to manage and query user information only that a
relational database schema is generally not designed with a single root
or base node like the typical LDAP tree. This makes finding the
information I require difficult.